The UK telecommunications company Colt Technology Services has admitted it suffered a massive data hack, but only after the hacker group WarLock began auctioning the stolen data on the black market. Colt has avoided following traditional and transparent steps to reassure its customers and investors after the hack, and instead provided misleading information intended to minimize the impact. Meanwhile, Colt holds multiple cybersecurity certifications from BSI, accredited by UKAS, including ISO 27001 for information security management and ISO 27701 for privacy management.
Breach and Fallout
According to InfoSecurity Magazine, Colt initially notified customers on August 14 that some data was breached, but that the “system was disconnected from its customer-facing infrastructure.” In reality, customer data was affected and being held for ransom by the WarLock hacking group. WarLock then began auctioning the customer data on the dark web. Per InfoSecurity:
Rather than publicly exposing stolen data, or at least a sample, as most ransomware gangs do in an approach called ‘double extortion,’ Warlock, the group that claimed the attack, is attempting to sell Colt’s compromised information in a private auction set to close on August 27.
As a result of this move, Colt was forced to admit, on August 231, that customer data had been breached. It then “offered its customers the option to request a list of filenames posted on the dark web by calling the company’s dedicated call center.”
According to TechZine:
Colt initially stated that only internal systems had been affected by Warlock. However, extensive investigations have shown that this is not the case. On a new page, the telco states that “some data” has been stolen; customers can request a list to see if they are mentioned by Warlock on the dark web. This does not necessarily correspond to the data that was actually stolen.
In fact, it is the opposite of what should happen. Normally, a company affected by a data breach informs customers that their data may have been stolen. Colt still claims not to know exactly what data has been stolen or whose information is involved. The incident response team is now working continuously with external investigators and forensic experts to determine the scale of the data breach.
False Claims About Certifications
Colt holds ISO 9001 and ISO 27001 certification, both issued by BSI and accredited by the British national accreditation body UKAS.
The Colt website then claims that ISO 27001 certification “ensures that we have a well-defined information security management system (ISMS), a set of policies, procedures, processes and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft.”
Colt also holds BSI certification to ISO 27701, which it describes as “a privacy extension to ISO/IEC 27001.” From the Colt website:
The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.
As a result of the hack, it appears none of the statements made by Colt related to their certifications are true.
BSI and UKAS likewise make bold, unsubstantiated claims about cybersecurity-related ISO certifications. On its website, BSI claims ISO 27001 certification will “safeguard personal records and sensitive data to prevent breaches and unauthorized access” and “show a commitment to information security, enhancing trust and confidence.”
The certification body A-LIGN claims that UKAS accreditation of ISO 27001 “ensures the highest standards of competence and integrity”:
UKAS brings an unparalleled level of credibility and accuracy of ISO 27001 and ISO 27701 certifications in the EMEA region, instilling confidence in organizations displaying their dedication to security.
Colt also holds Cyber Essentials Plus certification, which it falsely claims, “ensures that organisations have the appropriate technical controls in place to protect against the most common cybersecurity threats faced in the current landscape.”
In reality, ISO certifications for cybersecurity appear to have little to no effect at all on either a company’s ability to prevent hacks or adequately take action after one occurs. Worse, certification bodies like BSI refuse to withdraw certifications even after their clients are shown to have woefully inadequate information security management systems and/or bungle their responses to hacks afterward.
Related ISO 27001 scandals:
- In 2018, Equifax suffered a highly publicized and massive breach despite holding ISO 27001 certification by EY CertifyPoint. Investigators later found that Equifax’s security hardware was decades old, but it had never been discovered by the third-party auditors.
- In 2019, the international security firm Prosegur was hacked, while holding ISO 27001 certification by AENOR.
- In 2021, NASA contractor Digital Management Inc. suffered a ransomware attack while holding ISO 27001 issued by SRI.
- In 2023, the company Airtable was reported to have been leaking children’s personally identifiable information (PII) while holding an ISO 27001 certification issued by BARR Certifications.
- In 2023, Okta was breached in a hack that affected “all” its customers, while holding an ISO 27001 certification issued by Schellman.
- In 2024, Fidelity Investments was hacked while holding ISO 27001 certification issued by NQA.
- In 2024, AI firm Paradox was breached after it was found using a password of “123456” despite being ISO 27001 certified by A-LIGN.